tcpdump is a CLI tool for capturing and displaying packets sent and received by network devices.
Questions tagged [tcpdump]
453 questions
163 votes, 6 answers
How can I read pcap files in a friendly format?
a simple cat on the pcap file looks terrible:
$cat tcp_dump.pcap
?ò????YVJ?
JJ
?@@.?E

Tony
83 votes, 3 answers
Human readable format for http headers with tcpdump
I would like to view the HTTP headers sent from Apache (listening on port 80) to Tomcat (on port 4080) in a Linux machine.
According to Wikipedia,
Header fields are colon-separated name-value pairs in clear-text string format.
I've tried some…

Adam Matan
65 votes, 6 answers
How to capture ack or syn packets by Tcpdump?
I want to use a filter rule to capture only ack or syn packets. How do I do this?

larry
53 votes, 5 answers
how to split a pcap file into a set of smaller ones
I have a huge pcap file (generated by tcpdump). When I try to open it in wireshark, the program just gets unresponsive. Is there a way to split a file in set of smaller ones to open them one by one?
The traffic captured in a file is generated by two…

facha
42 votes, 7 answers
Monitoring HTTP traffic using tcpdump
To monitor HTTP traffic between a server and a web server, I'm currently using tcpdump. This works fine, but I'd like to get rid of some superfluous data in the output (I know about tcpflow and wireshark, but they're not readily available in my…

otto.poellath
37 votes, 3 answers
Tcpdump on multiple interfaces
I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 wan interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced…
Nahidul islam
34 votes, 1 answer
Will tcpdump see packets that are being dropped by iptables?
I have a firewall with these simple rules:
iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT
Now, suppose I am using…
Pablo Santa Cruz
33 votes, 6 answers
How do I make tcpdump not print the tcp headers?
I tried this:
tcpdump -s 1500 -A -l -i eth0 '(port 6667) and (length > 74)'
I need only the ascii part of it. How do I remove the rest?
coder
31 votes, 1 answer
Too many incorrect checksum errors in TCPDUMP
I find too many incorrect checksum errors from a TCPDUMP done on a GNU Linux 64bit server. There are close to 50% incorrect checksums in the export?
cksum 0xe61f (incorrect (-> 0x8c37)
How can we interpret this data? Does it affect performance a…
Vishal
29 votes, 1 answer
tcpdump filter on network and subnet mask
I'm using the following tcpdump command:
tcpdump -w net75.out -s 0 host 65.207.95.222
I want to change the filter on the single host to be all addresses in the following subnet:
65.192.0.0/10
I have not been able to figure out how to specify a…
harrije
28 votes, 9 answers
How to display interface in tcpdump output flow?
This seems to be quite a trivial problem, but after some searching I still can't figure out the answer. One can run tcpdump using "any" as the interface description, i.e.:
# tcpdump -i any -n host 192.168.0.1
Is there any way to force tcpdump to show…
mdrozdziel
22 votes, 7 answers
tcpdump: out.pcap: Permission denied
[root@localhost ~]# cat /etc/issue
Fedora release 17 (Beefy Miracle)
Kernel \r on an \m (\l)
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.6.10-2.fc17.i686 #1 SMP Tue Dec 11 18:33:15 UTC 2012 i686 i686 i386 GNU/Linux
[root@localhost ~]#…
chobo
21 votes, 4 answers
Monitor number of bytes transferred to/from IP address on port
Can anyone recommend a linux command line tool to monitor the number of bytes transferred between the local server and a specified IP address/port.
The equivalent tcpdump command would be:
tcpdump -s 0 -i any -w mycapture.trc port 80 host…
Mike
15 votes, 2 answers
TCPDUMP - Capturing Packets on Multiple IP Address (Filter)
What I need to do (via 'tcpdump' through Linux):
• ECommerce App Servers: 192.168.1.2, 192.168.1.3, 192.168.1.4. - This is what I want to capture on (filtered on these exact IPs). Not an IP range (subnet) or an individual IP address, just several…
Derek
14 votes, 2 answers
CoreOS: tcpdump mysteriously solves network issue (excessive number of sockets used)
I've got a mystery for you today. We run a small, three node Elasticsearch cluster based on CoreOS (2023.5.0 / Linux 4.19.25-coreos) on Azure. Elasticsearch is run inside a docker container in host network mode. After running almost completely…
Stephan Klein